@@ -14,37 +14,77 @@ namespace PingCastle.Healthcheck.Rules
1414 [ RuleSTIG ( "V-63577" , "Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\ \\ *\\ SYSVOL and \\ \\ *\\ NETLOGON shares." , STIGFramework . Windows10 ) ]
1515 [ RuleMaturityLevel ( 2 ) ]
1616 [ RuleMitreAttackTechnique ( MitreAttackTechnique . ManintheMiddleLLMNRNBTNSPoisoningandSMBRelay ) ]
17- [ RuleIntroducedIn ( 2 , 10 , 1 ) ]
17+ [ RuleIntroducedIn ( 2 , 10 , 1 ) ]
1818 public class HeatlcheckRuleAnomalyHardenedPaths : RuleBase < HealthcheckData >
1919 {
2020 protected override int ? AnalyzeDataNew ( HealthcheckData healthcheckData )
2121 {
2222 if ( healthcheckData . GPOHardenedPath == null )
2323 return null ;
24+ bool netlogon = false ;
25+ bool sysvol = false ;
2426 foreach ( var policy in healthcheckData . GPOHardenedPath )
2527 {
26- if ( policy . RequireIntegrity == false || policy . RequireMutualAuthentication == false )
28+ if ( string . IsNullOrEmpty ( policy . GPOId ) )
2729 {
28- bool anomaly = false ;
29- if ( policy . Key . IndexOf ( "SYSVOL" , StringComparison . OrdinalIgnoreCase ) > 0 || policy . Key . IndexOf ( "NETLOGON" , StringComparison . OrdinalIgnoreCase ) > 0 )
30+ continue ;
31+ }
32+ if ( healthcheckData . GPOInfoDic == null || ! healthcheckData . GPOInfoDic . ContainsKey ( policy . GPOId ) )
33+ {
34+ continue ;
35+ }
36+ var refGPO = healthcheckData . GPOInfoDic [ policy . GPOId ] ;
37+ if ( refGPO . IsDisabled )
38+ {
39+ continue ;
40+ }
41+ if ( refGPO . AppliedTo == null || refGPO . AppliedTo . Count == 0 )
42+ {
43+ continue ;
44+ }
45+
46+ bool anomaly = false ;
47+ if ( policy . Key . IndexOf ( "SYSVOL" , StringComparison . OrdinalIgnoreCase ) > 0 )
48+ {
49+ sysvol = true ;
50+ if ( policy . RequireIntegrity == false || policy . RequireMutualAuthentication == false )
51+ {
52+ anomaly = true ;
53+ }
54+ }
55+ else if ( policy . Key . IndexOf ( "NETLOGON" , StringComparison . OrdinalIgnoreCase ) > 0 )
56+ {
57+ netlogon = true ;
58+ if ( policy . RequireIntegrity == false || policy . RequireMutualAuthentication == false )
3059 {
3160 anomaly = true ;
3261 }
33- else
62+ }
63+ else
64+ {
65+ foreach ( var dc in healthcheckData . DomainControllers )
3466 {
35- foreach ( var dc in healthcheckData . DomainControllers )
67+ if ( policy . Key . StartsWith ( " \\ \\ " + dc . DCName + " \\ " , StringComparison . OrdinalIgnoreCase ) && policy . Key . Contains ( "*" ) )
3668 {
37- if ( policy . Key . StartsWith ( " \\ \\ " + dc . DCName + " \\ " , StringComparison . OrdinalIgnoreCase ) && policy . Key . Contains ( "*" ) )
69+ if ( policy . RequireIntegrity == false || policy . RequireMutualAuthentication == false )
3870 {
3971 anomaly = true ;
4072 }
4173 }
4274 }
43- if ( anomaly )
44- {
45- AddRawDetail ( policy . GPOName , policy . Key , GetString ( policy . RequireIntegrity ) , GetString ( policy . RequireMutualAuthentication ) , GetString ( policy . RequirePrivacy ) ) ;
46- }
4775 }
76+ if ( anomaly )
77+ {
78+ AddRawDetail ( policy . GPOName , policy . Key , GetString ( policy . RequireIntegrity ) , GetString ( policy . RequireMutualAuthentication ) , GetString ( policy . RequirePrivacy ) ) ;
79+ }
80+ }
81+ if ( ! netlogon )
82+ {
83+ AddRawDetail ( "No GPO Found" , "NETLOGON" , "Not Set" , "Not Set" , "Not Set" ) ;
84+ }
85+ if ( ! sysvol )
86+ {
87+ AddRawDetail ( "No GPO Found" , "SYSVOL" , "Not Set" , "Not Set" , "Not Set" ) ;
4888 }
4989 return null ;
5090 }
0 commit comments